Getting any Facebook user's friend list and partial payment card details (opens in new tab)

(josipfranjkovic.com)

416 pointsfranjkovic8y ago91 comments

91 comments

Important last-line: "It took Facebook's team 4 hours and 13 minutes to fix the issue - the fastest report-to-fix for me."

bostik8y ago

There's an important unstated property too, btw. OP reported an information disclosure bug in payment handling code. A bug in the core logic of what literally brings money in.

That kind of bug report is bound to get a very quick triage, followed by a very quick escalation.

But yes, even with that in mind: a 4-hour turnaround is damn impressive.

jomkr8y ago

I work at one of the other Big4 and to be honest it's not that impressive. This kind of report would be a high severity ticket, the person on-call for the given team would get paged, and wouldn't stop working/escalating until it got fixed.

Obviously not all companies behave this way, but they should!

1 more reply

cheeze8y ago

Wow. That is extremely impressive that such a large company is able to get a fix out that quickly.

wolco8y ago

The fix is probably 10 minutes but the deployment process, intake process and notification process took 3 1/2 hours

2 more replies

aje4038y ago

If it took much longer than that for bugs like this, all of the HN doomsday posts about the Facebook mass exodus might actually come true

2 more replies

user59944618y ago

It's a trivial bug. If the parameter is invalid, return nothing, rather than return all the credit cards.

I'd be worried if any company is not able to understand the problem and publish a patch in a few hours.

2 more replies

yashap8y ago

Agreed! Security bugs are going to happen in any sufficiently large piece of software (that wasn’t written by djb). The important thing is to work hard towards minimizing them, and fixing them quickly once found - seems to me Facebook does a good job on both of these points.

chirau8y ago

Who is djb?

1 more reply

johnchristopher8y ago

Thinking now about that line I heard from a consultant a month ago: "Facebook got 20 lawyer firms hired to check if the 30 lawyers firm they hired first did their job well regarding the GDPR".

Did they notify users whose data were compromised ?

jpollock8y ago

That's because you should never have first 6 and last 4 in the same place at the same time, particularly to someone who is not the owner of the card!

That leaves only 6 digits to guess to obtain a valid card, and you're given the check digit to limit the search further.

packetized8y ago

First six and last four are the limits for display set out by the PCI Security Standards Council. The things you should never store with the PAN are the PIN/PIN block or CVC/CVV.

https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storag...

2 more replies

asdfjklas8y ago

Neither first six nor last four are considered PCI sensitive data. Not saying they should be randomly displayed, but in the context of many fintech apps they will be displayed together.

pinkythepig8y ago

First 6 is shared across the cards a particular bank issues. Its not a secret as you can google the first 6 to find the bank or even the reverse google the bank to see what BINs they use. Last 4 is intended to be human visible so people can identify the card in use. When you factor in the check digit ruling out 90% of the remaining combinations, there are still 10,000 valid cc combinations plus an expiration date you would have to guess just to get a single acct.

1 more reply

jpollock8y ago

More details as an explanation.

Facebook was providing:

  Cardholder Name
  First 6
  Last 4
  Expiry Date
  Billing Address.

The only bits missing were CVV and the middle 6.

Yes, first 6 and last 4 are not considered sensitive for PCI compliance. However, like most security standards, the standard is a minimum, not what your target should be.

Given the ability for attackers to quickly guess CVV and the remaining digits[1], the attack becomes a numbers game. They don't care about _a_ card, they care about _any_ card.

This is why Visa and MasterCard are pushing to tokenize all cards - so the stored information is linked to the merchant storing it and can't be reused.

That's even before we take into account the account take over possibilities since those card details are used by other companies as verification for account recovery[2]. Yes, those vulnerabilities were closed, but that doesn't stop new companies from making the same mistakes.

Yes, it's impressive that they managed to prune the fields so quickly. Shows a very efficient escalation path!

[1] https://www.theregister.co.uk/2016/12/05/undetectable_sixsec...

[2] https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking...

philipodonnell8y ago

Random question I've never found a place to ask before. Is there a formal language or method for specifying information like this, where I could map out different pieces of data and reason about how the pieces of data flow through a system, to prove mathematically that two (or n) pieces of data are never available in the same place?

1 more reply

tehlike8y ago

You should vs human nature. We introduce bugs. Please don't be cynical, and cheer this up.

Kudos to facebook team that they responded shortly, I cannot tell if it was work hours or not, but either way, this is very very short in the context of large corporations.

1 more reply

tintor8y ago

".. Facebook's team .."

Most likely a single dedicated person at FB.

gambiting8y ago

I guess it's cultural, but I have observed many times that especially in America, there is a lot of emphasis on individualism - the cult of the person and their own achievements is placed above all else.

Even if the fix was done by one "dedicated employee" , they still belong to a team of people working together. I feel like singling out one person like this is almost rude to the rest of the team.

sigsegv0xb8y ago

Do you mean that FB only has one single dedicated person looking at Whitehat tickets or that a single developer made the fix?

1 more reply

sneak8y ago

Who sometimes has a day off, or takes a vacation, or has an illness, so you’re looking at a minimum of 3 persons...

zitterbewegung8y ago

They have a dedicated Bug report team that sifts through the nonsense so it can't just be one person..

stormbrew8y ago

Wait, why would facebook have CC info? I have never paid facebook for anything (except in terms of ad views), and I'm not even sure what I could pay them for? Posting ads I guess? But that's gonna be not a lot of people.

So if somehow their graph api has pulled up my credit card number into their database, that's the disturbing thing...

kfrzcode8y ago

> Posting ads

Advertisement is Facebook's #1 revenue model, its literally why they exist. I wish everyone who's used FB would sign up for a business page and place an ad; it's illuminating to see just how detailed their tools are.

Same with Google PPC and Bing etc etc.

I shudder to think at just how detailed the profiles are that FB, AMZN et al keep on each of its users.

jlarocco8y ago

> Advertisement is Facebook's #1 revenue model, its literally why they exist.

It's how they exist, not why.

I do agree that their data collection is very creepy.

dave51048y ago

They offer a cash transfer service via Messenger (similar to Apple Pay Cash or Snap Cash where you hand over a debit card and then you can send money to friends).

I believe they also used to have a system (maybe they still do?) where you could buy "Facebook Credits" to use on Facebook platform games, essentially microtransactions.

pbhjpbhj8y ago

They also used to have a thing where you could buy, with real money IIRC, little icons for your "friends"; quite some time back I think.

tjbiddle8y ago

They've had previous monetization methods, as well as submitting donations, sending cash to friends, paying for advertising, etc.

amasad8y ago

I wonder what the `CSPlaygroundGraphQLFriendsQuery` query is meant for. It sounds like some testing/development thing.

wongmjane8y ago

`CS` in this context stands for ComponentScript. It appears to have something to do with React Native.

`CSPlaygroundGraphQLFriendsQuery` is a demonstration for Facebook engineers internally to show how to display a list of "oneself's friends with auto-pagination" using GraphQL and ComponentScript inside their Facebook main app

P.S. I don't work at Facebook. But this is something I stumbled across their app.

amasad8y ago

Like the demo was released and accessible in the app? Or did you see it in the RN JS code?

1 more reply

dirkdk8y ago

What bounty did he receive for filing this?

sp3328y ago

I thought Facebook considered the Friends list to be public? They removed the ability to hide the list years ago.

hooksfordays8y ago

No, I can still hide my friend’s list. Settings > Privacy > “Who can see your friends list?”

zaidf8y ago

Friend List can be made private through your privacy settings.

j / k navigate · click thread line to collapse

91 comments

tannerc8y ago

Important last-line: "It took Facebook's team 4 hours and 13 minutes to fix the issue - the fastest report-to-fix for me."

bostik8y ago

There's an important unstated property too, btw. OP reported an information disclosure bug in payment handling code. A bug in the core logic of what literally brings money in.

That kind of bug report is bound to get a very quick triage, followed by a very quick escalation.

But yes, even with that in mind: a 4-hour turnaround is damn impressive.

jomkr8y ago

Obviously not all companies behave this way, but they should!

1 more reply

cheeze8y ago

Wow. That is extremely impressive that such a large company is able to get a fix out that quickly.

wolco8y ago

The fix is probably 10 minutes but the deployment process, intake process and notification process took 3 1/2 hours

2 more replies

aje4038y ago

If it took much longer than that for bugs like this, all of the HN doomsday posts about the Facebook mass exodus might actually come true

2 more replies

user59944618y ago

It's a trivial bug. If the parameter is invalid, return nothing, rather than return all the credit cards.

I'd be worried if any company is not able to understand the problem and publish a patch in a few hours.

2 more replies

yashap8y ago

chirau8y ago

Who is djb?

1 more reply

johnchristopher8y ago

Thinking now about that line I heard from a consultant a month ago: "Facebook got 20 lawyer firms hired to check if the 30 lawyers firm they hired first did their job well regarding the GDPR".

Did they notify users whose data were compromised ?

jpollock8y ago

That's because you should never have first 6 and last 4 in the same place at the same time, particularly to someone who is not the owner of the card!

That leaves only 6 digits to guess to obtain a valid card, and you're given the check digit to limit the search further.

packetized8y ago

First six and last four are the limits for display set out by the PCI Security Standards Council. The things you should never store with the PAN are the PIN/PIN block or CVC/CVV.

https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storag...

2 more replies

asdfjklas8y ago

Neither first six nor last four are considered PCI sensitive data. Not saying they should be randomly displayed, but in the context of many fintech apps they will be displayed together.

pinkythepig8y ago

1 more reply

jpollock8y ago

More details as an explanation.

Facebook was providing:

  Cardholder Name
  First 6
  Last 4
  Expiry Date
  Billing Address.

The only bits missing were CVV and the middle 6.

Yes, first 6 and last 4 are not considered sensitive for PCI compliance. However, like most security standards, the standard is a minimum, not what your target should be.

Given the ability for attackers to quickly guess CVV and the remaining digits[1], the attack becomes a numbers game. They don't care about _a_ card, they care about _any_ card.

This is why Visa and MasterCard are pushing to tokenize all cards - so the stored information is linked to the merchant storing it and can't be reused.

Yes, it's impressive that they managed to prune the fields so quickly. Shows a very efficient escalation path!

[1] https://www.theregister.co.uk/2016/12/05/undetectable_sixsec...

[2] https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking...

philipodonnell8y ago

1 more reply

tehlike8y ago

You should vs human nature. We introduce bugs. Please don't be cynical, and cheer this up.

Kudos to facebook team that they responded shortly, I cannot tell if it was work hours or not, but either way, this is very very short in the context of large corporations.

1 more reply

tintor8y ago

".. Facebook's team .."

Most likely a single dedicated person at FB.

gambiting8y ago

Even if the fix was done by one "dedicated employee" , they still belong to a team of people working together. I feel like singling out one person like this is almost rude to the rest of the team.

sigsegv0xb8y ago

Do you mean that FB only has one single dedicated person looking at Whitehat tickets or that a single developer made the fix?

1 more reply

sneak8y ago

Who sometimes has a day off, or takes a vacation, or has an illness, so you’re looking at a minimum of 3 persons...

zitterbewegung8y ago

They have a dedicated Bug report team that sifts through the nonsense so it can't just be one person..

stormbrew8y ago

So if somehow their graph api has pulled up my credit card number into their database, that's the disturbing thing...

kfrzcode8y ago

> Posting ads

Same with Google PPC and Bing etc etc.

I shudder to think at just how detailed the profiles are that FB, AMZN et al keep on each of its users.

jlarocco8y ago

> Advertisement is Facebook's #1 revenue model, its literally why they exist.

It's how they exist, not why.

I do agree that their data collection is very creepy.

dave51048y ago

They offer a cash transfer service via Messenger (similar to Apple Pay Cash or Snap Cash where you hand over a debit card and then you can send money to friends).

I believe they also used to have a system (maybe they still do?) where you could buy "Facebook Credits" to use on Facebook platform games, essentially microtransactions.

pbhjpbhj8y ago

They also used to have a thing where you could buy, with real money IIRC, little icons for your "friends"; quite some time back I think.

tjbiddle8y ago

They've had previous monetization methods, as well as submitting donations, sending cash to friends, paying for advertising, etc.

amasad8y ago

I wonder what the `CSPlaygroundGraphQLFriendsQuery` query is meant for. It sounds like some testing/development thing.

wongmjane8y ago

`CS` in this context stands for ComponentScript. It appears to have something to do with React Native.

P.S. I don't work at Facebook. But this is something I stumbled across their app.

amasad8y ago

Like the demo was released and accessible in the app? Or did you see it in the RN JS code?

1 more reply

dirkdk8y ago

What bounty did he receive for filing this?

sp3328y ago

I thought Facebook considered the Friends list to be public? They removed the ability to hide the list years ago.

hooksfordays8y ago

No, I can still hide my friend’s list. Settings > Privacy > “Who can see your friends list?”

zaidf8y ago

Friend List can be made private through your privacy settings.

j / k navigate · click thread line to collapse